-
Notifications
You must be signed in to change notification settings - Fork 1
/
lecture2.html
831 lines (765 loc) · 26.2 KB
/
lecture2.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
<!DOCTYPE html>
<!--
Web 2.0, CTU course slides
(cc) 2010-2013 Tomas Vitvar, tomas@vitvar.com
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="course" content="Web 2.0" />
<meta name="lecture" content="Lecture 2" />
<meta name="keywords" content="JSON, JSONP, JavaScript, AJAX, CORS" />
<link type="text/css" rel="stylesheet" href="css/meta.css">
</link>
<link type="text/css" rel="stylesheet" href="css/ctu-fit.css">
</link>
<link type="text/css" rel="stylesheet" href="humla/lib/core/humla.css">
</link>
<script type="text/javascript" src="humla/lib/humla.js"></script>
<title>Browser Networking</title>
</head>
<body>
<footer>
<p><b>#META_LECTURE#: #TITLE#</b>, <span class="meta_semester" />,
<span class="meta_twitter" />
</p>
<p><b>‒ #SLIDE_NO# ‒</b></p>
</footer>
<div class="slide intro">
<hgroup>
<h1><span class="meta_course" /></h1>
<h2>#META_LECTURE#: #TITLE#</h2>
</hgroup>
<div class="author">
<p class="meta_author" />
<p><span class="meta_email" /> • <span class="meta_twitter" /> •
<span class="meta_web" />
</p>
</div>
<center>
<div class="meta_logo"></div>
</center>
<div class="org">
<p class="meta_org" />
<p><span class="meta_orgfac" /> • <span class="meta_field" />
• <span class="meta_orgweb" /></p>
</div>
<div class="etc">
<div class="text-info">
Modified: #LAST_MODIFIED#<br />
Humla v#HUMLA_VERSION#
</div>
<a href="http://creativecommons.org/licenses/by-sa/3.0/">
<div class="license"></div>
</a>
<div class="oppa"></div>
</div>
</div>
<div class="slide outline"></div>
<section>
<header>Browser Networking</header>
<div class="slide">
<hgroup>
<h1>Browser Networking</h1>
</hgroup>
<ul class="x-small">
<li>Browser</li>
<ul>
<li>Platform for fast, efficient and secure delivery of Web apps</li>
<li>Many components</li>
<ul>
<li>parsing, layout, style calculation of HTML and CSS, JavaScript execution speed, rendering
pipelines, and <b>networking stack</b></li>
</ul>
<li>When network is slow, e.g. waiting for a resource to arrive</li>
<ul>
<li>all other steps are blocked</li>
</ul>
</ul>
<img src="img/browser-networking-api.png" style="height: 270px"></img>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Connection Management</h1>
</hgroup>
<ul class="x-small">
<li>Network socket management and optimization</li>
<ul>
<li>Socket reuse</li>
<li>Request prioritization</li>
<li>Protocol negotiation</li>
<li>Enfocring connection limits</li>
</ul>
<li>Socket manager</li>
<ul>
<li>Sockets organized in pools (connection limits and security constraints)</li>
<li>origin = (protocol, domain, port number)</li>
</ul>
<img src="img/socket-manager.png" style="height: 240px"></img>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Network Security</h1>
</hgroup>
<ul class="x-small">
<li>No raw socket access for app code</li>
<ul>
<li>Prevents apps from initiating any connection to host</li>
<li>For example port scan, connect to mail server, etc.</li>
</ul>
<li>Network security</li>
<ul>
<li><b>Connection limits</b></li>
<ul>
<li>protect both client and server from resource exhaustion</li>
</ul>
<li><b>Request formatting and response processing</b></li>
<ul>
<li>Enforcing well-formed protocol semantics of outgoing requests</li>
<li>Response decoding to protect user from malicious servers</li>
</ul>
<li><b>TLS negotiation</b></li>
<ul>
<li>TLS handshake and verification checks on certificates</li>
<li>User is warned when verification fials, e.g. self-signed cert is used</li>
</ul>
<li><b>Same-origin policy</b></li>
<ul>
<li>Constraints on requests to be initiated and to which origin</li>
</ul>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Mashups</h1>
</hgroup>
<ul class="x-small">
<li>Web application hybrid</li>
<ul>
<li>App uses APIs of two or more applications</li>
</ul>
<li>Types</li>
<ul>
<li>Data mashup – integration/aggregation of data (read only)</li>
<li>Service mashup – more sophisticated workflows (read, write)</li>
<li>Visualization – involves UI</li>
<ul>
<li>For example, third-party data displayed on the Google map</li>
</ul>
</ul>
<li>Client-Server View</li>
<ul>
<li>client-side mashups (in a browser)</li>
<ul>
<li>JavaScript, Dynamic HTML, AJAX, JSON/JSONP</li>
</ul>
<li>server-side mashups</li>
<ul>
<li>server-side integration of services and data</li>
<li>Any language</li>
</ul>
</ul>
</ul>
</div>
<div class="slide outline"></div>
<section>
<header>XHR</header>
<div class="slide">
<hgroup>
<h1>XMLHttpRequest (XHR)</h1>
</hgroup>
<ul>
<li>Interface to utilize HTTP protocol in JavaScript</li>
<ul>
<li>standardized by <span id="webapps-wg" class="h-ref"></span> at W3C</li>
<li>basis for AJAX</li>
<ul>
<li>Asynchronous JavaScript and XML</li>
</ul>
</ul>
<li>Typical usage</li>
<ol>
<li>Browser loads a page that includes a script</li>
<li>User clicks on a HTML element</li>
<ul>
<li>it triggers a JavaScript function</li>
</ul>
<li>The function invokes a service through XHR</li>
<ul>
<li>same origin policy, cross-origin resource sharing</li>
</ul>
<li>The function receives data and modifies HTML in the page</li>
</ol>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>XHR Interface – Key Methods and Properties</h1>
</hgroup>
<ul class="x-small">
<li>Method and properties of XHR object</li>
<ul>
<li><code>open</code>, opens the request, parameters:<br />
<code>method</code> – method to be used (e.g. GET, PUT,
POST),<br />
<code>url</code> – url of the resource,<br />
<code>asynch</code> – true to make asynchronous call,<br />
<code>user</code>, <code>pass</code> – credentials for
authentication.</li>
<li><code>onReadyStateChange</code> – JavaScript function object, it is called when
<code>readyState</code> changes (uninitialized, loading, loaded, interactive, completed).
</li>
<li><code>send</code>, <code>abort</code> – sends or aborts the request
(for asynchronous calls)</li>
<li><code>status</code>, <code>statusText</code> – HTTP status code and a
corresponding text.</li>
<li><code>responseText</code>, <code>responseXML</code> – response as text or
as a DOM document (if possible).</li>
<li><code>onload</code> – event listener to support server push.</li>
</ul>
<li>See <span id="xhr-w3c" class="h-ref"></span>, or
<span id="xhr-moz" class="h-ref"></span> for a complete reference.
</li>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>How XHR works</h1>
</hgroup>
<div style="height: 440px; margin-top: 20px" id="1kI3tlZl6PHZ_J_uwn_SVyT8_F05yE5Hi0B9pOEI37Z8"
class="h-drawing"></div>
</div>
</section>
<div class="slide outline"></div>
<section>
<header>Fetch API</header>
<div class="slide">
<hgroup>
<h1>Fetch API</h1>
</hgroup>
<ul class="small">
<li>XHR is callback-based, Fetch is promise-based</li>
<li>Interface to accessing requests and responses</li>
<ul>
<li>Provides global <code>fetch</code> method to fetch resources asynchronously</li>
<li>Can be easilly used in service workers</li>
<li>Supports CORS and other extensions to HTTP</li>
</ul>
<li>Interfaces</li>
<ul>
<li><code>Request</code> – represents a request to be made</li>
<li><code>Response</code> – represents a response to a request</li>
<li><code>Headers</code> – represents response/request headers</li>
</ul>
<li>Basic usage:</li>
<pre class="brush: javascript; class-name: 'tight'">
async function logMovies() {
const response = await fetch("http://example.com/movies.json");
const movies = await response.json();
console.log(movies);
}</pre>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Making request</h1>
</hgroup>
<ul class="x-small">
<li>A <code>fetch</code> function is available in global <code>window</code></li>
<li>It takes <code>path</code> and returns <code>Promise</code></li>
<pre class="brush: javascript; class-name: 'tight'">
fetch('https://api.github.com/users/tomvit')
.then(response => response.json())
.then(data => console.log(data))
.catch(error => console.error('Error:', error));</pre>
<li>You can make <code>no-cors</code> request</li>
<ul>
<li>With Fetch, the request will be handled as with putting <code>src</code> to
<code>img</code>
</li>
</ul>
<pre class="brush: javascript; class-name: 'tight'">
fetch('https://google.com', {
mode: 'no-cors',
}).then(function (response) {
console.log(response.type);
});</pre>
<li>You can access low-level body stream</li>
<ul>
<li>With XHR, the whole <code>responseText</code> would be loaded into memory.</li>
<li>With Fetch, you can read chunks of response and cancel the stream when needed.</li>
</ul>
</div>
</section>
</section>
<div class="slide outline"></div>
<section>
<header>Security Mechanisms</header>
<div class="slide" id="sameorigin">
<hgroup>
<h1>Same Origin Policy</h1>
</hgroup>
<div style="height: 310px" id="1xg_D6b_EBQDYol5Kk7b-UdhbuVsbjBHfaKaNTgH_rkY" class="h-drawing"></div>
<ul class="xx-small">
<li>JavaScript code can only access resources on the same domain</li>
<ul>
<li>XHR to GET, POST, PUT, UPDATE, DELETE</li>
<li>Browsers apply <b>same origin policy</b></li>
</ul>
<li>Solutions</li>
<ul>
<li>JSON and JSONP (GET only)</li>
<li>Cross-origin Resource Sharing Protocol (CORS)</li>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Why Same Origin Policy?</h2>
</hgroup>
<ul>
<li>Without the same origin policy, the following POST would be possible</li>
</ul>
<div style="height: 350px; margin-top: 30px" id="1J14eY2C9O1g8oPI9GhkOn0tRCB5z_NodiBzPX2oEabY"
class="h-drawing"></div>
</div>
<div class="slide outline"></div>
<section>
<header>Scripting Attacks</header>
<div class="slide">
<hgroup>
<h1>Overview</h1>
</hgroup>
<ul class="small">
<li>Scripting Attacks</li>
<ul>
<li>Intruders make users perform action that has side effects on their resources</li>
<li>Intruders inject malicious code to Web pages</li>
</ul>
<li>Roles in Security Scenarios</li>
<ul>
<li>Alice, Bob</li>
<ul>
<li>Normal users, usually Alices wants to send a message to Bob or Alice accesses a
Bob's
site.</li>
</ul>
<li>Eve</li>
<ul>
<li>A user with bad intentions, usually a passive attacker.</li>
</ul>
<li>Mallory</li>
<ul>
<li>An active attacker, usually sends a link to a page with malicious code.
</ul>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Recall: State management in HTTP</h1>
</hgroup>
<ul class="small">
<li>Request-response interaction with cookies</li>
<ul>
<li>Session is a logical channel maintained by the server</li>
</ul>
<div class="h-drawing" style="height: 250px" id="1mVCe8EtqVApZVRV_RHYQKtqDNELKdo84qzCqGvAs7iA">
</div>
<li>Stateful Server</li>
<ul>
<li>Server remembers the session information in a server memory</li>
<li>Server memory is a non-persistent storage, when server restarts the memory content is
lost!
</li>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Cross-site Request Forgery (CSRF)</h1>
</hgroup>
<ul class="x-small">
<li>Exploits a trust of a website in a user's browser</li>
<li>Scenario</li>
<ol>
<li>Mallory sends a link to Alice (in an email, in a chat, etc.)</li>
<ul>
<li>The link points to a page that has HTML code with hrefs to Alice's private resources
</li>
<li>For example, to perform an action on Alice's account, <br />
it is possible to use <code>img</code> like this:</li>
<pre class="brush: html">
<img src="https://bank.com/account?do=transfer_money&amount=50000"/></pre>
</ul>
<li>Alice loads the page in her browser</li>
<ul>
<li>Alice is authenticated to the bank's website, the browser sends Alice's
authentication
cookies
with the request.</li>
</ul>
</ol>
<li>Issues and Prevention</li>
<ul class="xx-small">
<li>The bank site vilotes REST, i.e. overloading of GET for making actions</li>
<li>The bank should check HTTP <code>referer</code> header</li>
<li>It is a "blind" attack, Mallory does not see the result</li>
<li>To perform POST, current browsers today use <a href="#CORS">CORS protocol</a></li>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Cross-site Scripting Attack (XSS)</h1>
</hgroup>
<ul>
<li>Exploits a trust of a user in a website</li>
</ul>
<div id="1pOK4HZPt7d4j-KSllCa8BUx5Amjlq28L6sQh3Wac8kI" class="h-drawing" style="height: 250px">
</div>
<ul class="small">
<li>Example Scenario</li>
<ol>
<li>An attacker injects a code to a page</li>
<li>A users executes the code in his/her browser's session</li>
<li>The code provides information (cookies) to the attacker</li>
<li>The attacker uses the cookies to access the user's data</li>
</ol>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>XSS Examples</h1>
</hgroup>
<ul class="small">
<li>Twitter in Sep 2010</li>
<ul>
<li>Injection of JavaScript code to a page using a tweet</li>
<li>You posted following tweet to Twitter</li>
<pre class="brush: plain">
There is a great event happening at
http://someurl.com/@"onmouseover="alert('test xss')"/</pre>
<li>Twitter parses the link and wraps it with <code><a></code> element</li>
<pre class="brush: 'xml'">
There is a great event happening at
<a href="http://someurl.com/@"onmouseover="alert('test xss')"
target="_blank">http://someurl.com/@"onmouseover=
"alert('test xss')"/</a></pre>
<li>See details at <span id="twitter-xss" class="h-ref"></span></li>
</ul>
<li>Other example: Google Contacts</li>
</ul>
</div>
</section>
<div class="slide outline"></div>
<section>
<header>Cross-origin Resource Sharing Protocol (CORS)</header>
<div class="slide" id="CORS">
<hgroup>
<h1>Overview</h1>
</hgroup>
<ul>
<li>Increasing number of mashup applications</li>
<ul>
<li>client-side mashups involving multiple sites</li>
<li>mechanism to control an access to sites from within JavaScript</li>
</ul>
<li>Allow for <b>cross-site HTTP requests</b></li>
<ul>
<li>HTTP requests for resources from a different domain than the domain of the resource
making
the request.</li>
</ul>
<li>W3C Recommendation</li>
<ul>
<li>see <span class="h-ref" id="cors-w3c"></span></li>
<li>Browsers support it</li>
<ul>
<li>see <span class="h-ref" id="cors-moz"></span> at Mozilla</li>
</ul>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>CORS Protocol – GET</h1>
</hgroup>
<div style="height: 280px" id="1cAgbH75PndD38nY1IJo4QfN5Yp7siHQXfNF5oD6x9SM" class="h-drawing">
</div>
<ul class="x-small">
<li>Read-only resource access via HTTP GET</li>
<li>Headers:</li>
<ul>
<li><code>Origin</code> – identifies the origin of the request</li>
<li><code>Access-Control-Allow-Origin</code> – defines who can access the resource
</li>
<li>either the full domain name or the wildcard (*) is allowed.</li>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>CORS Protocol – other methods and "preflight"</h1>
</hgroup>
<div style="height: 320px" id="1-dVhDx5pka4BElYu0WzFkqkLQWsb8aphcy16l-bET80" class="h-drawing">
</div>
<ul class="xx-small">
<li>Preflight request queries the resource using <code>OPTIONS</code> method</li>
<ul>
<li>requests other than GET (except POST w/o payload) or with custom headers</li>
<li>A browser should run preflight automatically for any XHR request meeting preflight
conditions</li>
<li>The browser caches responses according to <code>Access-Control-Max-Age</code></li>
</ul>
</ul>
</div>
</section>
</section>
<div class="slide outline"></div>
<section>
<header>JSON and JSONP</header>
<div class="slide">
<hgroup>
<h1>Recall: JSON</h1>
</hgroup>
<ul class="x-small">
<li>JSON = JavaScript Object Notation</li>
<ul>
<li>Serialization format for data representation</li>
<li>Very easy to use in JavaScript</li>
<ul>
<li>no need to use a parser explicitly</li>
</ul>
<li>Also great support in many programming environments</li>
</ul>
<li>Key constructs</li>
<ul class="xx-small">
<li><b>object</b> is a collection of comma-separated key/value pairs:<br />
<code>{"name" : "tomas", "age" : 18, "student" : false, "car" : null}</code>
</li>
<li style="margin-top: 5px"><b>array</b> is an order list of values:<br />
<code>[ "prague", "innsbruck", 45 ]</code>
</li>
<li style="margin-top: 5px">can be nested: objects as values in an <b>array</b>:<br />
<code>[ { "name" : "tomas", "age" : 18 }, <br /> { "name" : "peter", "age" : 19 } ]</code>
</li>
<li style="margin-top: 5px">and the other way around: array as values in an <b>object</b>:<br />
<code>{ "cities" : ["prague", "innsbruck"],<br /> "states" : ["CZ", "AT"] }</code>
</li>
<li style="margin-top: 5px">A complete grammar see <span id="json" class="h-ref"></span></li>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>JSON in JavaScript</h1>
</hgroup>
<ul class="x-small">
<li>Native data format</li>
<pre class="brush: javascript; class-name: 'tight'">
// data needs to be assigned
var data = { "people" : ["tomas", "peter", "alice", "jana"] };
// go through the list of people
for (var i = 0; i < data.people.length; i++) {
var man = data.people[i];
// ... do something with this man
}</pre>
<li>Responses of service calls in JSON</li>
<ul>
<li>Many support JSON, how can we load that data?</li>
</ul>
<li>Example Request-Response</li>
<pre class="brush: javascript; class-name: 'tight'">
GET http://pipes.yahoo.com/pipes/pipe.run?_id=638c670c40c97b62&_render=json
{"count":1,"value":
{"title":"Web 2.0 announcements",
"description":"Pipes Output",
"link":"http:\/\/pipes.yahoo.com\/pipes\/pipe.info...",
"pubDate":"Mon, 07 Mar 2011 18:27:20 +0000",
"generator":"..."
...
}
}</pre>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>JSONP</h1>
</hgroup>
<ul class="x-small">
<li>Service that supports JSONP</li>
<ul>
<li>allows to specify a query string parameter for a wrapper function
to load the data in JavaScript code</li>
<li>otherwise the data cannot be used in JavaScript</li>
<ul>
<li>they're loaded into the memory but assigned to nothing</li>
</ul>
</ul>
<li>Example</li>
<ul>
<li>if a resource at <code style="zoom: 0.9">http://someurl.org/json_data</code> returns
<pre class="brush: javascript; gutter: false">
{ "people" : ["tomas", "peter", "alice", "jana"] }</pre>
then the resource at<br />
<code style="zoom: 0.9">http://someurl.org/json_data?_callback=loadData</code> returns
<pre class="brush: javascript; gutter: false">
loadData({ "people" : ["tomas", "peter", "alice", "jana"] });</pre>
</li>
</ul>
<li>A kind of workaround for the same origin policy</li>
<ul>
<li>only <code>GET</code>, nothing else works obviously</li>
<li>no XHR, need to load the data through the dynamic <code><script></code> element</li>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>JSONP in JavaScript</h1>
</hgroup>
<ul class="xx-small">
<li>JSONP example</li>
<ul>
<li>loads JSON data using JSONP by dynamically inserting <code><script></code>
into the current document. This will download JSON data and triggers the script.</li>
</ul>
<pre class="brush: javascript">
var TWITTER_URL = "http://api.twitter.com/1/statuses/user_timeline.json?" +
"&screen_name=web2e&count=100&callback=loadData";
// this needs to be loaded in window.onload
// after all document has finished loading...
function insertData() {
var se = document.createElement('script');
se.setAttribute("type","text/javascript");
se.setAttribute("src", TWITTER_URL);
document.getElementsByTagName("head")[0].appendChild(se);
// And data will be loaded when loadDta callback fires...
}
// loads the data when they arrive
function loadData(data) {
// we need to know the the structure of JSON data that is returned
// and code it here accordingly
for (var i = 0; i < data.length; i++) {
data[i].created_at // contains date the tweet was created
data[i].text // contains the tweet
}
}</pre>
</ul>
</div>
<!-- <div class="slide">
<hgroup>
<h1>JSON Vulnerability</h1>
</hgroup>
<ul class="x-small">
<li>What it is</li>
<ul>
<li>JSON array data accessible via GET (normal access is via XHR)</li>
<li>Attacker may load the data in a <code>script</code>, redefine <code>Array</code> object,
and assign the data to a variable.</li>
<li>Attacker's page with a script that you access:</li>
<ul>
<li>your browser uses your cookies to load the resource</li>
</ul>
</ul>
<pre class="brush: html; highlight: [3,4]; class-name: tight">
<script type="text/javascript">
var yourData;
Array = function() {
yourData = this;
}
</script>
<script src="yourdomain.cz/yoursecretdata.json" type="text/javascript"></script></pre>
<li>Prevention</li>
<ul class="xx-small">
<li>Using prefix in the data – the prefix makes the JSON data invalid; the client must
strip the prefix before parsing the data as JSON</li>
<pre class="brush: javascript; class-name: tight">
[ "a": "account", 433, 5543 ]</pre>
<li>Use only POST for sensitive data</li>
</ul>
</ul>
</div> -->
</section>
<!-- <div class="slide outline"></div>
<section>
<header>Application State</header>
<div class="slide">
<hgroup>
<h1>Application State</h1>
</hgroup>
<ul class="x-small">
<li>Application state in Web 1.0 apps</li>
<div style="height: 260px; margin-left: -30px"
id="1ikPrTDmdmCzwR3OcGESteSMUnHQ-B9VRhuaOeQGki9A" class="h-drawing"></div>
<li>Application state in Web 2.0 apps</li>
<ul>
<li>JavaScript code changes the state</li>
<ul>
<li>the URL should contain the state information</li>
</ul>
<li>JavaScript cannot modify the whole URL but only the hash (<code>#</code>) part</li>
<li><code>http://seller.com/products</code> becomes <code>http://seller.com/#products</code></li>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Application State and Web Crawling</h1>
</hgroup>
<ul class="x-small">
<li>Obviously we want our pages to be crawlable</li>
<ul>
<li>JavaScript generated content on clients does not exist on the server</li>
</ul>
<div style="height: 250px; margin-left: -30px" id="1u-6vCrF9f6rojKEY2Dxtgrss06MckN4SV1f0YuF1ptU"
class="h-drawing"></div>
<li>Solutions</li>
<ul>
<li>Crawler runs headless Browser – not feasible</li>
<ul>
<li>high requirements for computing resources</li>
</ul>
<li>Server generates content according to specific rules</li>
<ul>
<li>Google AJAX Crawling</li>
</ul>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Google AJAX Crawling</h1>
</hgroup>
<ul class="x-small">
<li>Steps</li>
<ol>
<li>Web app provider exposes AJAX content with pretty URLs<br/>
<code>http://seller.com/#!products</code></li>
<li>Web crawler finds those URLs</li>
<li>Web crawler transforms the pretty URL to ugly URL<br/>
<code>http://seller.com/?_escapped_fragment_=products</code></li>
<li>Web crawler access the content of the page at ugly URL and indexes it</li>
</ol>
<li>Prerequisites</li>
<ul>
<li>Web app provider must expose AJAX generated content at ugly URLs</li>
<li>Options:</li>
<ul>
<li>uses a headless browser to generate the content at the server</li>
<li>rewrites the JavaScript code in a server-side language</li>
</ul>
</ul>
<li>Reference</li>
<ul>
<li>See <span id="ajax-crawling" class="h-ref"></span> for details</li>
</ul>
</ul>
</div>
</section> -->
</body>
</html>